Asda may have put millions of transactions at risk

Wednesday 20 January 2016 - Philip Gallagher

A fault in Asda’s website gave hackers the chance to collect customers' personal information and payment details, the BBC reported.

Security expert Paul Moore has estimated that Britain’s third largest supermarket chain, which confirmed this week it’s to axe hundreds of jobs, may have put millions of transactions at risk. He first noticed the issue in March 2014 and contacted Asda to report it.

Asda, which processes hundreds of thousands of online orders each week, said it had now fixed the problem and no customers had been affected.

“Asda and Walmart take the security of our websites very seriously,” a spokesperson told the BBC. “We are aware of the issue and have implemented changes to improve the security on our website.

“The points flagged pose a low risk to customers and our monitoring of these security issues indicates that no customer information has been compromised over that two-year period.”

The Walmart-owned retailer said on Tuesday that the small risk to customer information had been removed and an update had been applied, insisting that further enhancements, which would be completed on Tuesday evening, had been added.

“In short, one of the two issues is fixed but nothing that remains poses any risk to any customer information or card details.”

The issue occurred as a result of cross-site scripting (XSS) and cross-site request forgery (CSRF), explained Moore. In layman’s terms, if a user had the Asda website open alongside a tab of another site that was infected with malware, they could be vulnerable to attack.

Moore believes that the grocer should have acted more quickly to rectify the problem.

"Back in March 2014, I contacted Asda to report several security vulnerabilities and despite a fix promised 'in the next few weeks', little appears to have changed," he said.

In a blog he published, Moore advised customers "to shop elsewhere".

"Asda/Walmart have had ample opportunity to fix these issues and have failed to do so. If you must continue shopping with Asda, open a private window and do not open any other tabs or windows until you've logged out," he added.